首先嘗試創建一個ACL
07:20:03 SQL> declare
ace_list xs$ace_list;
begin
ace_list:=xs$ace_list(xs$ace_type(privilege_list=>xs$name_list('"administer_session"'),granted=>true,principal_name=>'xs_user_10'),
xs$ace_type(privilege_list=>xs$name_list('"create_session"','"modify_session"','"attach_session"'),granted=>true,principal_name=>'xs_user_11'),
xs$ace_type(privilege_list=>xs$name_list('"create_session"','"modify_session"'),granted=>true,principal_name=>'xs_user_12'));
xs_acl.create_acl(name=>'wgz_acl',ace_list=>ace_list,sec_class=>'sessionprivs',description=>'wgz session management');
end;
/
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.17
創建上面的三個application user,并將ACL賦予這三個用戶,
07:22:58 SQL> exec xs_principal.create_user(name=>'xs_user_10',schema=>'sys',acl=>'wgz_acl');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.02
07:42:52 SQL> exec xs_principal.set_password(user=>'xs_user_10',password=>'tdetest2');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.02
07:43:15 SQL> exec xs_principal.create_user(name=>'xs_user_11',schema=>'sys',acl=>'wgz_acl');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.00
07:44:34 SQL> exec xs_principal.set_password(user=>'xs_user_11',password=>'tdetest2');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.00
07:45:18 SQL> exec xs_principal.create_user(name=>'xs_user_12',schema=>'sys');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.01
07:46:33 SQL> exec xs_principal.set_acl(principal=>'xs_user_12',acl=>'wgz_acl');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.00
查看創建的ACL及ACE
08:12:23 SQL> select name,owner,security_class,security_class_owner,description from dba_xs_acls;
NAME OWNER SECURITY_CLASS SECURITY_CLASS_ DESCRIPTION
------------------------------------------------------------ ---------- --------------- --------------- ----------------------------------------------------------------------
SYSTEMACL SYS SYSTEM SYS Default ACL for System Security Class
XS$SCHEMA_ACL DBSFWUSER SYSTEM SYS
SESSIONACL SYS SESSION_SC SYS Default ACL for Session Security Class
NS_UNRESTRICTED_ACL SYS NSTEMPLATE_SC SYS Seeded ACL to grant ADMIN_NAMESPACE privilege to PUBLIC
NETWORK_ACL_B193F39A153A639FE0537885E50AB8A6 SYS NETWORK_SC SYS ACL for host *:*
NETWORK_ACL_B194333D66523F0AE0537885E50A8396 SYS NETWORK_SC SYS ACL for web service access from MDSYS
WGZ_ACL PDBADMIN SESSIONPRIVS PDBADMIN wgz session management
08:15:49 SQL> select acl,owner,ace_order,grant_type,principal,principal_type,privilege,security_class,security_class_owner from dba_xs_aces order by acl,ace_order;
ACL OWNER ACE_ORDER GRANT PRINCIPAL PRINCIPAL_T PRIVILEGE SECURITY_CLASS SECURITY_CLASS_
-------------------------------------------------- ---------- ---------- ----- -------------------- ----------- -------------------- --------------- ---------------
NETWORK_ACL_B193F39A153A639FE0537885E50AB8A6 SYS 1 GRANT GSMADMIN_INTERNAL DATABASE RESOLVE NETWORK_SC SYS
NETWORK_ACL_B193F39A153A639FE0537885E50AB8A6 SYS 2 GRANT GGSYS DATABASE RESOLVE NETWORK_SC SYS
NETWORK_ACL_B194333D66523F0AE0537885E50A8396 SYS 1 GRANT MDSYS DATABASE CONNECT NETWORK_SC SYS
NS_UNRESTRICTED_ACL SYS 1 GRANT PUBLIC DATABASE ADMIN_NAMESPACE NSTEMPLATE_SC SYS
NS_UNRESTRICTED_ACL SYS 2 GRANT XSPUBLIC APPLICATION ADMIN_NAMESPACE NSTEMPLATE_SC SYS
SESSIONACL SYS 1 GRANT XS_SESSION_ADMIN DATABASE ADMINISTER_SESSION SESSION_SC SYS
SESSIONACL SYS 2 GRANT XSSESSIONADMIN APPLICATION ADMINISTER_SESSION SESSION_SC SYS
SESSIONACL SYS 3 GRANT U_2 DATABASE MODIFY_SESSION SESSION_SC SYS
SYSTEMACL SYS 1 GRANT SYS DATABASE CALLBACK SYSTEM SYS
SYSTEMACL SYS 1 GRANT SYS DATABASE PROVISION SYSTEM SYS
SYSTEMACL SYS 2 GRANT XSPROVISIONER APPLICATION CALLBACK SYSTEM SYS
SYSTEMACL SYS 2 GRANT XSPROVISIONER APPLICATION PROVISION SYSTEM SYS
SYSTEMACL SYS 3 GRANT PROVISIONER DATABASE CALLBACK SYSTEM SYS
SYSTEMACL SYS 3 GRANT PROVISIONER DATABASE PROVISION SYSTEM SYS
SYSTEMACL SYS 4 GRANT DBA DATABASE ADMIN_ANY_SEC_POLICY SYSTEM SYS
SYSTEMACL SYS 7 GRANT DBA DATABASE ADMIN_ANY_NAMESPACE SYSTEM SYS
SYSTEMACL SYS 8 GRANT XS_NAMESPACE_ADMIN DATABASE ADMIN_ANY_NAMESPACE SYSTEM SYS
SYSTEMACL SYS 9 GRANT XSNAMESPACEADMIN APPLICATION ADMIN_ANY_NAMESPACE SYSTEM SYS
SYSTEMACL SYS 10 GRANT MIDTIER_AUTH APPLICATION ADMIN_ANY_NAMESPACE SYSTEM SYS
SYSTEMACL SYS 11 GRANT OLAP_XS_ADMIN DATABASE ADMIN_SEC_POLICY SYSTEM SYS
SYSTEMACL SYS 12 GRANT SEC_MGR DATABASE PROVISION SYSTEM SYS
SYSTEMACL SYS 13 GRANT PDBADMIN DATABASE PROVISION SYSTEM SYS
WGZ_ACL PDBADMIN 1 GRANT XS_USER_10 APPLICATION administer_session SESSIONPRIVS PDBADMIN
WGZ_ACL PDBADMIN 2 GRANT XS_USER_11 APPLICATION attach_session SESSIONPRIVS PDBADMIN
WGZ_ACL PDBADMIN 2 GRANT XS_USER_11 APPLICATION create_session SESSIONPRIVS PDBADMIN
WGZ_ACL PDBADMIN 2 GRANT XS_USER_11 APPLICATION modify_session SESSIONPRIVS PDBADMIN
WGZ_ACL PDBADMIN 3 GRANT XS_USER_12 APPLICATION create_session SESSIONPRIVS PDBADMIN
WGZ_ACL PDBADMIN 3 GRANT XS_USER_12 APPLICATION modify_session SESSIONPRIVS PDBADMIN
XS$SCHEMA_ACL DBSFWUSER 1 GRANT DBSFWUSER DATABASE ADMIN_SEC_POLICY SYSTEM SYS
29 rows selected.
Elapsed: 00:00:00.02
上面通過ACL賦予xs_user_10的administer_session權限是管理application session,也可以說是light weight session,如果想創建database session,也就是heavyweight session,則必須另外賦予role
[oracle@scaqai06adm07 bin]$ ./sqlplus "xs_user_10/tdetest2@scaqai06adm07:1521/tdetest2pdb10888"
SQL*Plus: Release 21.0.0.0.0 - Production on Mon Feb 15 08:27:44 2021
Version 21.1.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
ERROR:
ORA-01045: user XS_USER_10 lacks CREATE SESSION privilege; logon denied
上面報錯的原因就是因為沒有創建heavyweight session的權限
08:29:09 SQL> exec xs_principal.grant_roles('xs_user_10','xsdba');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.01
現在驗證ACL是不是起了作用
使用xs_user_10能夠直接登錄資料庫,說明xs_user_10這個application user即具有了創建heavyweight session的權限,也具有了創建light weight session的權限
[oracle@scaqai06adm07 bin]$ ./sqlplus "xs_user_10/tdetest2@scaqai06adm07:1521/tdetest2pdb10888"
SQL*Plus: Release 21.0.0.0.0 - Production on Mon Feb 15 08:32:23 2021
Version 21.1.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.1.0.0.0
08:32:23 SQL> show user;
USER is "XS_USER_10"
08:32:59 SQL> select user_name,sessionid,database_sessionid from dba_xs_active_sessions;
USER_NAME SESSIONID DATABASE_SESSIONID
-------------------- -------------------------------- ------------------
XS_USER_10 BB6387D55069D8F9E053D529850A97C2 6419
Elapsed: 00:00:00.01
能夠從dba_xs_active_sessions里面查看到這個application session已經attach到了一個database session,所以說明attach session的權限也有了
08:34:03 SQL> select user_name,sessionid from dba_xs_sessions;
USER_NAME SESSIONID
-------------------- --------------------------------
XS_USER_10 BB6387D55069D8F9E053D529850A97C2
Elapsed: 00:00:00.00
08:35:14 SQL> exec dbms_xs_sessions.set_session_cookie('cookie_test_xs_user_10','BB6387D55069D8F9E053D529850A97C2');
BEGIN dbms_xs_sessions.set_session_cookie('cookie_test_xs_user_10','BB6387D55069D8F9E053D529850A97C2'); END;
*
ERROR at line 1:
ORA-46070: insufficient privileges
ORA-06512: at "SYS.DBMS_XS_SESSIONS_FFI", line 303
ORA-06512: at "SYS.DBMS_XS_SESSIONS", line 193
ORA-06512: at line 1
Elapsed: 00:00:00.01
可這么的錯誤說明是沒有alter session的權限啊,命名administer_session是包含modify session這個權限的呢?這是怎么回事?
下面是分析錯誤的程序ORA-46070: insufficient privileges
已經對xs_user_10這個application user賦予了xsdba這個application role,這個application role xsdba已經被賦予了database role dba,莫非database role dba沒有alter session的權限?
08:52:35 SQL> select grantee,privilege from dba_sys_privs where privilege='ALTER SESSION' and grantee='DBA';
GRANTEE PRIVILEGE
-------------------- -------------
DBA ALTER SESSION
Elapsed: 00:00:00.01
DBA這個角色也有alter session的權限,不知道是為什么
下面采取首先用一個database user pdbadmin連接資料庫的方式來操作一下
[oracle@scaqai06adm07 bin]$ ./sqlplus "pdbadmin/tdetest2@scaqai06adm07:1521/tdetest2pdb10888"
SQL*Plus: Release 21.0.0.0.0 - Production on Mon Feb 15 08:54:39 2021
Version 21.1.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Last Successful login time: Mon Feb 15 2021 07:20:03 -08:00
Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.1.0.0.0
08:54:40 SQL> declare
08:54:50 2 sid raw(16);
08:54:54 3 begin
08:54:56 4 dbms_xs_sessions.create_session('xs_user_10',sid);
08:55:14 5 dbms_xs_sessions.attach_session(sid);
08:55:24 6 dbms_xs_sessions.set_session_cookie('cookie_test_xs_user_10',sid);
08:55:43 7 end;
08:55:45 8 /
declare
*
ERROR at line 1:
ORA-46070: insufficient privileges
ORA-06512: at "SYS.DBMS_XS_SESSIONS_FFI", line 303
ORA-06512: at "SYS.DBMS_XS_SESSIONS", line 193
ORA-06512: at line 6
Elapsed: 00:00:00.02
還是碰到這個錯誤,
下面單獨賦予xs_user_10這個用戶 modify_session的權限
08:58:05 SQL> exec xs_acl.grant_privilege(acl=>'wgz_acl',privilege=>'modify_session',principal=>'xs_user_10');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.02
09:02:27 SQL> select acl,ace_order,grant_type,principal,privilege from dba_xs_aces where acl='WGZ_ACL' order by ace_order;
ACL ACE_ORDER GRANT PRINCIPAL PRIVILEGE
-------------------------------------------------- ---------- ----- -------------------- --------------------
WGZ_ACL 1 GRANT XS_USER_10 administer_session
WGZ_ACL 2 GRANT XS_USER_11 modify_session
WGZ_ACL 2 GRANT XS_USER_11 create_session
WGZ_ACL 2 GRANT XS_USER_11 attach_session
WGZ_ACL 3 GRANT XS_USER_12 create_session
WGZ_ACL 3 GRANT XS_USER_12 modify_session
WGZ_ACL 4 GRANT XS_USER_10 MODIFY_SESSION
7 rows selected.
可以看到單獨對xs_user_10這個用戶賦予了modify_session這個權限了
在賦予了這個權限之后還是不能set session cookie
09:12:41 SQL> declare
09:12:47 2 sid raw(16);
09:12:50 3 begin
09:12:52 4 dbms_xs_sessions.create_session('xs_user_10',sid);
09:13:05 5 dbms_xs_sessions.attach_session(sid);
09:13:15 6 dbms_xs_sessions.set_session_cookie('cookie_in_problem',sid);
09:13:34 7 end;
09:13:35 8 /
declare
*
ERROR at line 1:
ORA-46070: insufficient privileges
ORA-06512: at "SYS.DBMS_XS_SESSIONS_FFI", line 303
ORA-06512: at "SYS.DBMS_XS_SESSIONS", line 193
ORA-06512: at line 6
Elapsed: 00:00:00.01
就是因為加了ACL,所以導致無法set_session_cookie,所以問題肯定是在ACL這里,明天可以嘗試將ACL去除試試看
明天排查問題,首先將這個ACL洗掉掉,然后使用sys用戶創建一遍試試(通過最終的排查,問題不在于這個ACL是sys創建,還是pdbadmin這個用戶創建,和創建用戶無關)
要不就是在systemacl那個ACL加上看看,在這個里面加,應該是要呼叫xs_admin_util.grant_system_privilege這個procedure
首先我洗掉了這個ACL,然后用sys用戶重新建了一遍
我故意將其中一個權限寫錯了administer_session1,發現沒有 報錯,說明在權限名稱這里沒有進行驗證,對于user這里,其實也沒有驗證這個user是不是真的存在
所以得到的教訓就是權限這里要用大寫寫,不能用小寫
(最終結論是其實用小寫寫,也沒問題,小寫一樣能夠執行成功,所以不是小寫的問題,雖然將權限寫錯了也不報錯administer_session1)
00:12:50 SQL> show user;
USER is "SYS"
00:14:23 SQL> declare
ace_list xs$ace_list;
begin
ace_list:=xs$ace_list(xs$ace_type(privilege_list=>xs$name_list('"administer_session1"'),granted=>true,principal_name=>'xs_user_10'),
xs$ace_type(privilege_list=>xs$name_list('"create_session"','"modify_session"','"attach_session"'),granted=>true,principal_name=>'xs_user_11'),
xs$ace_type(privilege_list=>xs$name_list('"create_session"','"modify_session"'),granted=>true,principal_name=>'xs_user_12'));
xs_acl.create_acl(n00:14:30 2 ame=>'wgz_acl',ace_list=>ace_list,sec_class=>'sessionprivs',description=>'wgz session management');
end;
/
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.02
最后解決問題的方法是通過xs_admin_util.grant_system_privilege這個方法來實作的,執行了這個procedure之后,在set_session_cookie就不會報錯了
具體ACL哪里出了錯,沒找出來
00:40:15 SQL> exec xs_admin_util.grant_system_privilege('MODIFY_SESSION','XS_USER_10',xs_admin_util.ptype_xs);
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.01
00:42:16 SQL> exec dbms_xs_sessions.set_session_cookie('ccc');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.00
終于找到問題之所在了,通過查詢dba_xs_objects這個視圖,發現里面有個物件sessionprivs 是invalid的,我發現調用xs_acl.create_acl如果指定的security class不存在的話,則會默認創建這個security class,問題就出在了這里,這個security class的狀態為invalid在dba_xs_objects里面查詢(造成這個錯誤的原因是直接從檔案上抄的例子,檔案上有錯誤)
通過指定已經存在的security class SESSION_SC,則會解決問題
01:53:09 SQL> declare
ace_list xs$ace_list;
begin
ace_list:=xs$ace_list(xs$ace_type(privilege_list=>xs$name_list('"ADMINISTER_SESSION"'),granted=>true,principal_name=>'xs_user_10'),
xs$ace_type(privilege_list=>xs$name_list('"CREATE_SESSION"','"MODIFY_SESSION"','"ATTACH_SESSION"'),granted=>true,principal_name=>'xs_user_11'),
xs$ace_type(privilege_list=>xs$name_list('"CREATE_SESSION"','"MODIFY_SESSION"'),granted=>true,principal_name=>'xs_user_12'));
xs_acl.create_acl(name=>'wgz_acl',ace_list=>ace_list,sec_class=>'SESSION_SC',description=>'wgz session management');
01:54:42 2 end;
/
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.01
01:54:42 SQL> exec xs_principal.set_acl('xs_user_10','wgz_acl');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.01
結論:
1.在創建ACL時,privilege的名稱并不驗證,但是用小寫,也沒問題,在xs
n
a
m
e
l
i
s
t
指
定
權
限
時
x
s
name_list指定權限時 xs
namel?ist指定權限時xsname_list(’“ADMINISTER_SESSION”’) ,加不加雙引號都行(使用不使用雙引號都不進行權限驗證),加了雙引號,則大小寫會和dba_xs_aces里的大小寫一致,如果不使用雙引號,則無論使用大小寫,在視圖dba_xs_aces里面查詢都是大寫,
2.使用sys用戶或者別的用戶創建ACL,都沒問題
3.在創建ACL時,要指定正確的security class,指定錯誤的security class,create application session和attach application session沒問題,但是set application session的cookie時就會有問題
4.使用xs_admin_util.grant_system_privilege這個procedure給application user設定權限后,也可以解決問題,ACL和通過xs_admin_util.grant_system_privilege算是兩個層次,xs_admin_util.grant_sysem_privilege這個是在修改sessionacl這個ACL,
############################################
等有時間整理一遍沒有錯誤的執行程序
##############################################
轉載請註明出處,本文鏈接:https://www.uj5u.com/shujuku/260423.html
標籤:其他
上一篇:Mysql學習記錄(2)